[Rt-commit] rt branch 5.0/add-samesite-cookie-options created. rt-5.0.2-283-g7cd2ca4722

BPS Git Server git at git.bestpractical.com
Mon Jun 27 21:53:39 UTC 2022


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".

The branch, 5.0/add-samesite-cookie-options has been created
        at  7cd2ca4722241f3833b51ff697651ef5182314ab (commit)

- Log -----------------------------------------------------------------
commit 7cd2ca4722241f3833b51ff697651ef5182314ab
Author: Brian Conry <bconry at bestpractical.com>
Date:   Mon Jun 27 16:49:03 2022 -0500

    Update default value for WebSecureCookie
    
    Previously $WebSecureCookie defaulted to '0', so RT did not set the
    'Secure' attribute on the session cookies.
    
    This changes the default to '1' so that session cookies are flagged as
    'Secure' by default.  This will generally cause browsers to require an
    SSL connection to the server and may also change how the cookies are
    cached.

diff --git a/docs/UPGRADING-5.0 b/docs/UPGRADING-5.0
index 2d7db363a6..bbdfbdc556 100644
--- a/docs/UPGRADING-5.0
+++ b/docs/UPGRADING-5.0
@@ -465,4 +465,25 @@ you can try switching to EXACT and testing performance after upgrading.
 
 =back
 
+=head1 UPGRADING FROM 5.0.3 AND EARLIER
+
+=over 4
+
+=item * Updated defaults for web session cookies
+
+The previous default value for the configuration option C<$WebSecureCookies>
+was '0', meaning that RT did not, by default, set the C<Secure> option on
+session cookies.  The default for this option has been changed to '1', which
+will require all users to connect to the RT instance over SSL and will trigger
+other changes in browser behavior, such as cookie caching.
+
+RT previously did not set a C<SameSite> policy for session cookies.  How this
+is handled by browsers varies.  RT 5.0.4 introcuces the configuration option
+C<$WebSameSiteCOokies> with a default value of 'Lax', which provides
+additional defense against CSRF attacks in some browsers.  See
+L<https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite>
+for more details on valid values, their meaning, and browser support.
+
+=back
+
 =cut
diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 6df0e7cbb8..5e3194d264 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -1415,17 +1415,16 @@ Set($WebSameSiteCookies, 'Lax');
 
 =item C<$WebSecureCookies>
 
-By default, RT's session cookie isn't marked as "secure". Some web
+By default, RT's session cookie is marked as "secure". Some web
 browsers will treat secure cookies more carefully than non-secure
 ones, being careful not to write them to disk, only sending them over
-an SSL secured connection, and so on. To enable this behavior, set
-C<$WebSecureCookies> to 1.  NOTE: You probably don't want to turn this
-on I<unless> users are only connecting via SSL encrypted HTTPS
-connections.
+an SSL secured connection, and so on. To disable this behavior, set
+C<$WebSecureCookies> to 0.  NOTE: You probably don't want to turn this
+off I<unless> user connections to RT are secured by some other method.
 
 =cut
 
-Set($WebSecureCookies, 0);
+Set($WebSecureCookies, 1);
 
 =item C<$WebHttpOnlyCookies>
 

commit 4b910c9808446e23fee83a23c526989b5ae7e1aa
Author: Brian Conry <bconry at bestpractical.com>
Date:   Fri Jun 17 17:17:01 2022 -0500

    Add SameSite to cookies from WebSameSiteCookies
    
    This change adds the SameSite option to RT's session cookies, with a
    default value of 'Lax', providing a reasonable amount of protection
    against CSRF attacks while still allowing most integrations of RT with
    other systems.
    
    It also provides a config option, WebSameSiteCookies to allow the value
    to be changed from the default.  Current standards allow values of
    'Strict', 'Lax', and 'None'.  Any value other than these will cause a
    warning to be logged.  Current standards also require the Secure option
    to be set on the cookie when using the 'None' value, so a warning is
    logged if 'None' is specified and WebSecureCookies isn't set.

diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 1b7720241e..6df0e7cbb8 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -1400,6 +1400,19 @@ this if you display additional information on the logout page.
 
 Set($LogoutRefresh, 1);
 
+=item C<$WebSameSiteCookies>
+
+By default, RT's session cookie uses the "Lax" policy for SameSite,
+preventing many classes of CSRF attacks.  Other possible values are 
+"Secure", which provides additional protection but may break some
+integrations of RT with other applications, and "None", which provides
+the least protection against CSRF attacks and also requires C<WebSecureCookies>
+to be set to 1.
+
+=cut
+
+Set($WebSameSiteCookies, 'Lax');
+
 =item C<$WebSecureCookies>
 
 By default, RT's session cookie isn't marked as "secure". Some web
diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index 89276eeba7..43b5601f1a 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -1778,6 +1778,26 @@ our %META;
     WebRemoteUserGecos => {
         Widget => '/Widgets/Form/Boolean',
     },
+    WebSameSiteCookies => {
+        Widget => '/Widgets/Form/String',
+        PostLoadCheck => sub {
+            my $self = shift;
+            my $value = $self->Get('WebSameSiteCookies');
+
+            # while both of these detected conditions are against current web standards,
+            # web standards have been known to change so these are only logged as warnings.
+            if ($value !~ /^(Strict|Lax)$/i) {
+                if ($value =~ /^None$/i) {
+                    if (not $self->Get('WebSecureCookies')) {
+                        RT::Logger->warning("The config option 'WebSameSiteCookies' has a value '$value' and WebSecureCookies is not set, browsers may reject the cookies.");
+                    }
+                }
+                else {
+                    RT::Logger->warning("The config option 'WebSameSiteCookies' has a value '$value' not known to be in the standard.");
+                }
+            }
+        },
+    },
     WebSecureCookies => {
         Widget => '/Widgets/Form/Boolean',
     },
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 82bd3d04c6..6c3fcdc875 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -967,6 +967,7 @@ sub SendSessionCookie {
         -name     => _SessionCookieName(),
         -value    => $HTML::Mason::Commands::session{_session_id},
         -path     => RT->Config->Get('WebPath'),
+        -samesite => RT->Config->Get('WebSameSiteCookies'),
         -secure   => ( RT->Config->Get('WebSecureCookies') ? 1 : 0 ),
         -httponly => ( RT->Config->Get('WebHttpOnlyCookies') ? 1 : 0 ),
     );

-----------------------------------------------------------------------


hooks/post-receive
-- 
rt


More information about the rt-commit mailing list